Hacking Back - Is It Legal?

As any business executive whose organization has been victimized by cyber wrongdoers knows, suffering from a cyber-attack of any significance can be frustrating at best, and devastating at worst. Often, the extent of the intrusion may not be easy to determine. Wrongdoers may be difficult (or impossible) to identify, and the proactive legal options available to the executive may be limited. As one executive lamented, “How do I sue a hacker based in North Korea?” In light of this reality, business executives may be tempted to engage in “hacking back” or other forms of cyber-vigilantism, if only to teach hackers a good lesson. Tempting as it may be, however, under current law, “hacking back” can cause substantial legal harm as well as reputational backlash when done without carrying out an extremely careful factual and legal analysis of the proposed activity.

Is “hacking back” legal? It all depends on precisely what activity the victim proposes to take. While the answer is highly fact-specific (after all, there are many definitions of “hacking,” let alone “hacking back”), certain parameters of conduct do exist. For example, at one end of the spectrum, looking at one’s own computer logs to determine the originating IP address of the hacker, or monitoring the wrongdoers’ activities on one’s own systems are unlikely to be illegal. At the other end of spectrum, implementing a virus or a malicious program into the hacker’s computer to damage that computer or even just to retrieve your stolen data is almost uncertainly unlawful under existing law. In between, there are many possible responses that might prompt federal or state prosecutors to initiate a criminal investigation and prosecution of a cyber-vigilante.

While a comprehensive analysis of all applicable hacking laws is beyond the scope of this note, in any hacking back scenario it is critical to keep in mind the Computer Fraud and Abuse Act (CFAA) enacted in 1986, and codified at Title 18, United States Code, Section 1030. Among other things, the CFAA broadly prohibits intentionally accessing a computer without authorization and obtaining information from any protected computer, or accessing a protected computer and causing damage to that computer. The law provides for criminal penalties including fines and sentences of imprisonment. Civil damages are also available in certain circumstances to injured parties – and in theory could be awarded to hackers injured in the “hack back.”

Perhaps most importantly, the CFAA currently does not allow for vigilantism -- cyber or otherwise. Simply put, the fact you have been hacked will not be a valid defense to a criminal prosecution for “hacking back.” And as prosecutors typically look quite unfavorably on vigilantism in the physical world, so too can it be expected that most will look unfavorably on cyber-vigilantism. It is therefore imperative for business executives tempted to engage in anyquestionable activities on or affecting computers belonging to others -- even cyber-criminals -- to consult with experienced counsel in this area before undertaking such activities. Caution is needed and your reaction to hacking should be limited to gathering of evidence and protection of your networks.